[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf and detection of non-resolvable ip numbers



On Thu, Apr 13, 2006 at 01:58:10PM +0200, Michael Schmidt wrote:
> Lars Hansson wrote:
> 
> >On Thursday 13 April 2006 18:05, Michael Schmidt wrote:
> > 
> >
> >>reading several man pages did give no answer to this:
> >>Is there a way within pf that pf can detect especially those ip numbers
> >>which do not belong to a hostname, in other words which are not
> >>resolvable to hostnames?
> >>   
> >>
> >
> >No. Perhaps you could create some ugly cludge by logging all and have a 
> >cron job read the pflog logfile and do reverse lookups but I highly doubt 
> >it would be feasible or even work.
> > 
> >
> 
> Meanwhile I have seen after having sent my initial mail that there is a 
> way similar to your suggestion without the need of explicit dns lookups, 
> as it includes implicit lookups.
> 
> In the pf.conf if you have any rule combined with log functionality then 
> its logged into the pflog file, that file contains either hostnames or 
> ip numbers, in case of ip numbers the ip numbers could not be resolved 
> to hostnames.
> This behaviour is that a stand one?

Yes, it is standard behaviour of tcpdump(8). See -n, and pflogd(8).

DNS lookups would slow pf(4) down by far too much. Don't try it.

> >>The reason why I am asking is that I want to catch especially these
> >>connections.
> >>   
> >>
> >
> >I cant help but ask why?
> > 
> >
> 
> You are right to ask why.
> The reason is I want to achieve this task: We have a few bad users which 
> give themselves ip numbers (free unused ones out of our pool), I want to 
> catch the ip numbers taken by those users.

There are several wrong ways to go about this, you picked one.

ISTR a patch to dhcpd appearing on the tech@ list a month or so ago,
that would be one proper solution. However, whether you use this one or
some homegrown script, the point should be to add authentic IPs to a
table and filter on the table.

However, if your network is not physically secure, the fun only begins
with people giving themselves some random IP address[1]. And some
protocols - anything UDP-based, for instance, and TCP on buggy stacks,
and ... - can be spoofed easily, anyway.

		Joachim

[1] Assuming this is not just someone trying to be smart, or trying to
get things done without configuring dhcp for some reason.



Visit your host, monkey.org